By Kim Smouter
Why a scan, either conducted by ESOMAR or someone else is key to getting GDPR right
We are now officially living in a GDPR world. After years of negotiations and a two-year ‘transition’ period, the EU GDPR (or General Data Protection Regulation, if you’d rather call it by its full name) entered into force in May. Its arrival was heralded with a flurry of emails of all shapes and sizes reaching the inboxes of people from the four corners of the world. Thanks to that flurry, if you didn’t know about GDPR before May, your inbox certainly told you about it in the meantime! But if one looks carefully at all those emails, one can also see patent misunderstandings of the legal requirements for securing consent, which has to be informed, unambiguous, freely given, and affirmed by a clear action. Given the wide variety of emails with an equal diversity of calls to action (opt-in, opt-out, only opt-in if you want something changed…), some might say companies missed the plot, or at least followed less than informed advice! So, whilst the reality might be that there is more awareness than ever before of the EU GDPR’s existence, to say that we all understand what exactly it entails is a whole other enchilada, or cookie, or whatever national dish is best placed at the end of this sentence.
As the global voice for market, opinion and social research and data analytics, ESOMAR accompanied the drafting process of the EU GDPR, lobbying for the expansion of the research definition and attempting to secure wide applicability of the derogations and opportunities offered for processing conducted for a research purpose. In that context we’ve gained a lot of knowledge about the GDPR, what motivated certain obligations, and which ones proved particularly difficult to iron out. That expertise is being leveraged for members and by members to improve their GDPR readiness programmes, and, for those who have already come a long way on their journey to GDPR compliance, to provide an independent assessment confirming that the processes in place indeed meet the requirements of the GDPR. One of our most popular webinars in the run-up to the GDPR’s adoption was our recommended 12-step programme, which outlined steps companies could take to achieve a robust compliance programme and have it up and running a year before the GDPR came into play.
The first step of that programme was assembling a multi-function team to steward the GDPR compliance programme in the organisation, because personal data flows in and out of a company in ways that no single function can fully see. Having someone in charge of this is critical to the business bottom line, because the Data Protection Authorities tasked with enforcing the law will be less forgiving of companies that have put zero effort into setting up a programme. If you haven’t started your GDPR compliance programme, that team is going to have a lot of work to do and will need support from the entire organisation to catch up on lost time. But never fear: it is better to start the process now and do it right than to rush and declare yourself GDPR compliant before you are. As the US data protection authority, the FTC, demonstrates, a regulator uses what you say and do against you in its decisions, and there’s no reason why an EU data protection authority wouldn’t do the same moving forward.
One of the important first tasks this team will need to complete is conducting what we like to call a data-mapping scan of the organisation. Even at ESOMAR, not a day goes by that we don’t discover a third party we hadn’t accounted for, because it was part of a project run by an internal team with little impact on the core business functions. It’s these ‘under-the-radar’ processing and transfer activities that can prove particularly difficult to catalogue completely. The first objective of a scan should therefore be to zero in on all the personal data that is collected, processed, and transferred by the organisation and to have a single place which records all of it. The second objective of the scan is to identify which of these processes are currently correctly covered by the right legal basis, an appropriate retention period, the right communication to the data subject, and the appropriate data processing agreements if the data gets passed on beyond the organisation. The third objective of the scan is to identify activities and processes where the organisation is not meeting, or is unlikely to meet, GDPR requirements, and to flag these as priority tasks for the teams to resolve, thereby improving the GDPR readiness of the company.
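The three objectives above map naturally onto a structured processing inventory plus a gap check over it. The following is an added illustration, not ESOMAR’s tooling or part of the original article: it models each processing activity as a record with the four items the second objective names (legal basis, retention period, data subject information, data processing agreement for onward transfers), reports every activity that is missing one of them, and orders the findings so the most exposed activities come first, as the third objective asks. The inventory entries, field names and the scoring weights are constructed for the example and are assumptions, not a prescribed method.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Article 6 legal bases, in the plain-language form a scan interview would record.
VALID_LEGAL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}


@dataclass
class ProcessingActivity:
    """One row of the data-processing map produced by the scan (fields are assumptions)."""
    name: str
    owner: str                      # business function interviewed during the scan
    data_categories: List[str]
    legal_basis: Optional[str] = None
    retention_period: Optional[str] = None
    notice_given: bool = False      # has the data subject been told about this processing?
    transfers_to: List[str] = field(default_factory=list)   # third parties receiving the data
    dpa_in_place: bool = False      # data processing agreement covering those transfers
    special_category: bool = False  # e.g. health data (Article 9)


def gaps_for(activity: ProcessingActivity) -> List[str]:
    """Return the missing items from the scan's second objective for one activity."""
    gaps = []
    if activity.legal_basis not in VALID_LEGAL_BASES:
        gaps.append("no valid legal basis recorded")
    if not activity.retention_period:
        gaps.append("no retention period defined")
    if not activity.notice_given:
        gaps.append("data subject not informed")
    if activity.transfers_to and not activity.dpa_in_place:
        gaps.append("transfer to third party without a data processing agreement")
    return gaps


def exposure_score(activity: ProcessingActivity, gaps: List[str]) -> int:
    """Constructed priority heuristic: more gaps, special-category data and
    uncovered transfers all raise the exposure of an activity."""
    score = len(gaps)
    if activity.special_category:
        score += 3
    if activity.transfers_to and not activity.dpa_in_place:
        score += 2
    return score


def scan(inventory: List[ProcessingActivity]) -> List[Dict]:
    """Third objective: list only the activities with gaps, most exposed first."""
    report = []
    for activity in inventory:
        gaps = gaps_for(activity)
        if gaps:
            report.append({
                "activity": activity.name,
                "owner": activity.owner,
                "gaps": gaps,
                "score": exposure_score(activity, gaps),
            })
    report.sort(key=lambda r: (-r["score"], r["activity"]))
    return report


# Constructed sample inventory, as it might look after interviewing four functions.
SAMPLE_INVENTORY = [
    ProcessingActivity("Online survey panel", "Research",
                       ["email", "age", "health"], legal_basis="consent",
                       retention_period="24 months", notice_given=True,
                       transfers_to=["panel-hosting-provider"], dpa_in_place=True,
                       special_category=True),
    ProcessingActivity("Employee payroll", "HR",
                       ["name", "bank account"], legal_basis="contract",
                       retention_period=None, notice_given=True,
                       transfers_to=["payroll-bureau"], dpa_in_place=False),
    ProcessingActivity("Conference attendee list", "Marketing",
                       ["name", "email"], legal_basis=None,
                       retention_period=None, notice_given=False),
    # The 'under-the-radar' project run by an internal team.
    ProcessingActivity("Focus group video recordings", "Research",
                       ["video", "health"], legal_basis="consent",
                       retention_period="until project close", notice_given=True,
                       transfers_to=["transcription-vendor"], dpa_in_place=False,
                       special_category=True),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(f"[{finding['score']}] {finding['activity']} ({finding['owner']})")
        for gap in finding["gaps"]:
            print(f"    - {gap}")
```

Run as-is, the report puts the focus-group recordings first (special-category data sent to a vendor with no agreement), the payroll transfer second, and the marketing list, which has the most gaps but the least sensitive data, last. The point of the ordering is the one the article makes: fix where the organisation is most exposed before tidying processes that are already relatively safe.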
Conducting a scan isn’t easy; even the scan conducted by the ESOMAR Plus team easily takes a good day just to go through the core functions and identify the top-line processing activities that might fall within the scope of the GDPR. But even the exercise of the on-site scan proves useful for both the organisation and the ESOMAR Plus team, because it forms the basis of an action plan and reassures the organisation that it has greater visibility of exactly what it is collecting and holding that may become a sitting liability. What we’ve found useful with our first ESOMAR Plus subscribers is that having an external team look at the organisation also allows us to identify processes that are so embedded in the organisation that the organisation itself doesn’t see them for what they are. During the scan nothing should be left unseen or unknown, as an incomplete scan will only lead to more difficulties later.
The scan is conducted alongside the business entities running the core business operations; it’s a series of simple interviews with each team in which we ask them to describe what they collect that might be classified as personal data, how they collect it and work with it, and simply get them to talk about their job. A scan shouldn’t be about judging the business operation, but about simply cataloguing what the business operation looks like today. So we proceed methodically: first understanding the research processes that are collecting personal data, then looking at the IT systems that make the processing and transfer possible, then at the contractual framework that governs the organisation and its relationships with its business partners; we look at marketing, HR, finance, senior management… all of it must be in scope of the scan for it to be of use to the organisation later. It’s quite an intensive exercise, and combined with our half-day training that briefs teams on the key principles of the GDPR, we often find that it sensitises the teams to just how much personal data actually transits through an organisation, and to the important caretaker role each employee has with regard to that personal data.
Organisations that go through the exercise come out the other side with a data processing map, which in turn allows them to be clearer in their own privacy policies and notices; this improves the quality of the information provided to the data subject and decreases the risk of a compliance action against the organisation. One shouldn’t underestimate the importance of the quality of that information, because most legal bases for processing require clear, transparent, understandable information to be provided to the data subject, and failing that, the data subject can always question the legality of the data you’ve collected about them (whether that be a respondent or a member of staff!).
Performing a scan isn’t a one-hour meeting exercise (if only it could be!); teams need to prepare for it, review and assess their current and past projects and the way they work, and these things take time. For those conducting the scan and issuing the report, the process can also easily take (for a small, straightforward organisation) a full week from the site visit to producing the report. But as a result of it, the organisation should have a clear understanding of what it needs to do in the coming months to build a compliance programme that prioritises addressing where the organisation and the personal data it has collected are most exposed, and only afterwards deals with the processes which are relatively secure. Getting all the stakeholders around the table also often takes time, and with the countdown now complete, time is even more pressing in the event a data subject decides to exercise the rights they have over the data you’re holding.
Data protection authorities are already actively investigating the first complaints, and whilst the headline-grabbing tech brands will be targeted first, one shouldn’t underestimate the likelihood of research organisations and their clients entering their radar as well in the near future.
So, the question is: have you conducted a scan, and if not, maybe it’s time to ask ESOMAR to conduct one for you so you’re able to demonstrate you’ve started your compliance journey? Because wherever you as a company decide to go, one good thing to always have is a map – whether it’s on your smartphone, in your head, or indeed on paper! That’s what the scan’s outcomes will represent for your company, and the rest, you’ll find, will fall right into place.
Good luck on your compliance journey and remember that you have a partner in ESOMAR to support you to get there.
Kim Smouter is Head of Public Affairs and Professional Standards at ESOMAR.